endpoint security | Breaking Cybersecurity News | The Hacker News

USB drive attacks constitute a significant cybersecurity risk, taking advantage of the everyday use of USB devices to deliver malware and circumvent traditional network security measures. These attacks lead to data breaches, financial losses, and operational disruptions, with lasting impacts on an organization's reputation. An example is the Stuxnet worm discovered in 2010, a malware designed to target industrial control systems, specifically Iran's nuclear enrichment facilities. It exploited multiple zero-day vulnerabilities and spread primarily through USB drives, making it one of the first examples of a cyberattack with real-world physical effects. Stuxnet exposed the risks of removable media and raised global awareness of cybersecurity threats to critical infrastructure. How USB drive attacks propagate Attackers use various methods to deliver malicious payloads via USB drives, targeting individuals and organizations.  Drop attacks : Infected USB drives are deliberatel...

Remote Desktop Protocol (RDP) is an amazing technology developed by Microsoft that lets you access and control another computer over a network. It's like having your office computer with you wherever you go. For businesses, this means IT staff can manage systems remotely, and employees can work from home or anywhere, making RDP a true game-changer in today's work environment. But here's the catch: because RDP is accessible over the internet, it's also a prime target for unethical hackers. If someone gains unauthorized access, they could potentially take over your system. That's why it's so important to secure RDP properly. Why IT Teams Depend on RDP, Despite the Risks More than 50 percent of Kaseya's small and medium-sized businesses (SMBs) and Managed Service Providers (MSPs) customers use RDP for daily operations due to its efficiency and flexibility: Reduces Costs and Downtime – IT teams can resolve technical issues remotely, eliminating travel expenses and delays. Supports B...

In cybersecurity, confidence is a double-edged sword. Organizations often operate under a false sense of security , believing that patched vulnerabilities, up-to-date tools, polished dashboards, and glowing risk scores guarantee safety. The reality is a bit of a different story. In the real world, checking the right boxes doesn't equal being secure. As Sun Tzu warned, "Strategy without tactics is the slowest route to victory. Tactics without strategy is the noise before defeat." Two and a half millennia later, the concept still holds: your organization's cybersecurity defenses must be strategically validated under real-world conditions to ensure your business's very survival. Today, more than ever, you need Adversarial Exposure Validation (AEV) , the essential strategy that's still missing from most security frameworks. The Danger of False Confidence Conventional wisdom suggests that if you've patched known bugs, deployed a stack of well-regarded security tools, and passed the nec...

Universities and government organizations in North America and Asia have been targeted by a previously undocumented Linux malware called Auto-Color between November and December 2024, according to new findings from Palo Alto Networks Unit 42. "Once installed, Auto-color allows threat actors full remote access to compromised machines, making it very difficult to remove without specialized software," security researcher Alex Armstrong said in a technical write-up of the malware. Auto-color is so named based on the file name the initial payload renames itself post installation. It's currently not known how it reaches its targets, but what's known is that it requires the victim to explicitly run it on their Linux machine. A notable aspect of the malware is the arsenal of tricks it employs to evade detection. This includes using seemingly-innocuous file names like door or egg, concealing command-and-control (C2) connections, and leveraging proprietary encryption algo...

Cybersecurity researchers are warning of a new campaign that leverages cracked versions of software as a lure to distribute information stealers like Lumma and ACR Stealer. The AhnLab Security Intelligence Center (ASEC) said it has observed a spike in the distribution volume of ACR Stealer since January 2025. A notable aspect of the stealer malware is the use of a technique called dead drop resolver to extract the actual command-and-control (C2) server. This includes relying on legitimate services like Steam, Telegram's Telegraph, Google Forms, and Google Slides. "Threat actors enter the actual C2 domain in Base64 encoding on a specific page," ASEC said . "The malware accesses this page, parses the string, and obtains the actual C2 domain address to perform malicious behaviors." ACR Stealer, previously distributed via Hijack Loader malware, is capable of harvesting a wide range of information from compromised systems, including files, web browser data, ...

Ransomware doesn't hit all at once—it slowly floods your defenses in stages. Like a ship subsumed with water, the attack starts quietly, below the surface, with subtle warning signs that are easy to miss. By the time encryption starts, it's too late to stop the flood.  Each stage of a ransomware attack offers a small window to detect and stop the threat before it's too late. The problem is most organizations aren't monitoring for early warning signs - allowing attackers to quietly disable backups, escalate privileges, and evade detection until encryption locks everything down. By the time the ransomware note appears, your opportunities are gone.  Let's unpack the stages of a ransomware attack, how to stay resilient amidst constantly morphing indicators of compromise (IOCs), and why constant validation of your defense is a must to stay resilient. The Three Stages of a Ransomware Attack - and How to Detect It Ransomware attacks don't happen instantly. Attackers follow a st...

Cybersecurity researchers have detailed an attack that involved a threat actor utilizing a Python-based backdoor to maintain persistent access to compromised endpoints and then leveraged this access to deploy the RansomHub ransomware throughout the target network. According to GuidePoint Security , initial access is said to have been facilitated by means of a JavaScript malware downloaded named SocGholish (aka FakeUpdates), which is known to be distributed via drive-by campaigns that trick unsuspecting users into downloading bogus web browser updates. Such attacks commonly involve the use of legitimate-but-infected websites that victims are redirected to from search engine results using black hat Search Engine Optimization (SEO) techniques. Upon execution, SocGholish establishes contact with an attacker-controlled server to retrieve secondary payloads. As recently as last year, SocGholish campaigns have targeted WordPress sites relying on outdated versions of popular SEO plug...

Ivanti has rolled out security updates to address several security flaws impacting Avalanche, Application Control Engine, and Endpoint Manager (EPM), including four critical bugs that could lead to information disclosure. All the four critical security flaws, rated 9.8 out of 10.0 on the CVSS scale, are rooted in EPM, and concern instances of absolute path traversal that allow a remote unauthenticated attacker to leak sensitive information. The flaws are listed below - CVE-2024-10811 CVE-2024-13161  CVE-2024-13160, and CVE-2024-13159 The shortcomings affect EPM versions 2024 November security update and prior, and 2022 SU6 November security update and prior. They have been addressed in EPM 2024 January-2025 Security Update and EPM 2022 SU6 January-2025 Security Update. Horizon3.ai security researcher Zach Hanley has been credited with discovering and reporting all four vulnerabilities in question. Also patched by Ivanti are multiple high-severity bugs in Avalanche vers...

Palo Alto Networks has released software patches to address several security flaws in its Expedition migration tool, including a high-severity bug that an authenticated attacker could exploit to access sensitive data. "Multiple vulnerabilities in the Palo Alto Networks Expedition migration tool enable an attacker to read Expedition database contents and arbitrary files, as well as create and delete arbitrary files on the Expedition system," the company said in an advisory. "These files include information such as usernames, cleartext passwords, device configurations, and device API keys for firewalls running PAN-OS software." Expedition, a free tool offered by Palo Alto Networks to facilitate migration from other firewall vendors to its own platform, reached end-of-life (EoL) as of December 31, 2024. The list of flaws is as follows - CVE-2025-0103 (CVSS score: 7.8) - An SQL injection vulnerability that enables an authenticated attacker to reveal Expedition...

It's time once again to pay our respects to the once-famous cybersecurity solutions whose usefulness died in the past year. The cybercriminal world collectively mourns the loss of these solutions and the easy access they provide to victim organizations. These solutions, though celebrated in their prime, succumbed to the twin forces of time and advancing threats. Much like a tribute to celebrities lost in the past year, this article will look back at a few of cybersecurity's brightest stars that went dark in the past year.  1. Legacy Multi-Factor Authentication (MFA) Cause of Death: Compromised by sophisticated phishing, man-in-the-middle (MitM), SIM-swapping, and MFA prompt bombing attacks. The superstar of access security for more than twenty years, legacy MFA solutions enjoyed broad adoption followed by almost-universal responsibility for cybersecurity failures leading to successful ransomware attacks. These outdated solutions relied heavily on SMS or email-based codes o...

Fortinet has issued an advisory for a now-patched critical security flaw impacting Wireless LAN Manager (FortiWLM) that could lead to disclosure of sensitive information. The vulnerability, tracked as CVE-2023-34990, carries a CVSS score of 9.6 out of a maximum of 10.0. It was originally fixed by Fortinet back on August 18, 2023, but without a CVE designation. The list of supported FortiOS versions was updated in early September. "A relative path traversal [CWE-23] in FortiWLM may allow a remote unauthenticated attacker to read sensitive files," the company said in an alert released Wednesday. However, according to a description of the security flaw in the NIST's National Vulnerability Database (NVD), the path traversal vulnerability could also be exploited by an attacker to "execute unauthorized code or commands via specially crafted web requests." The flaw impacts the following versions of the product - FortiWLM versions 8.6.0 through 8.6.5 (Fixed i...

Run by the team at orchestration, AI, and automation platform Tines, the Tines library contains pre-built workflows shared by real security practitioners from across the community, all of which are free to import and deploy via the Community Edition of the platform.  Their bi-annual "You Did What with Tines?!" competition highlights some of the most interesting workflows submitted by their users, many of which demonstrate practical applications of large language models (LLMs) to address complex challenges in security operations. One recent winner is a workflow designed to automate CrowdStrike RFM reporting. Developed by Tom Power, a security analyst at The University of British Columbia, it uses orchestration, AI and automation to reduce the time spent on manual reporting. Here, we'll share an overview of the workflow, plus a step-by-step guide for getting it up and running. The problem - time-consuming reporting The workflow's builder, Tom Power, explains, "The CrowdStrike ...